YubiKeys Can Be Duplicated due to Discovered Flaw
A security flaw has been unearthed in YubiKey 5, a popular authentication device, which could allow a skilled and well-equipped hacker to duplicate the gadget. The vulnerability was initially reported by Ars Technica, and it arises from a cryptographic flaw, a side channel, in the microcontroller of the devices.
YubiKeys are commonly used in multi-factor authentication systems to safeguard sensitive accounts. These devices offer an added layer of security, as gaining access would require physical possession of the key. While passwords can be easily phished, a physical device such as a YubiKey makes unauthorized entry almost impossible.
The vulnerability was identified by NinjaLab, who delved into the Elliptic Curve Digital Signature Algorithm (ECDSA) used by YubiKeys, reverse-engineered parts of its cryptographic library, and designed a side-channel attack.
This newly discovered vulnerability makes it feasible for an attacker to duplicate a key, provided they have substantial time, expertise, and resources. Yubico, the manufacturer of YubiKeys, released a statement about the vulnerability on its website, along with a detailed report from the security researchers at NinjaLab.
"An attacker could exploit this issue in a sophisticated and targeted attack to recover the affected private keys. For the attack to be successful, the attacker needs physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the attack," Yubico explained in its statement. "Additionally, the attacker may also require additional knowledge such as the user's PIN, account password, or authentication key."
According to NinjaLab, the vulnerability affects all YubiKey 5s utilizing firmware 5.7 or below, as well as "all Infineon security microcontrollers that run the Infineon cryptographic security library." To demonstrate the vulnerability, NinjaLab dismantled a key, connected it to an oscilloscope, and measured the minute fluctuations in the electromagnetic radiation emitted by the key during authentication.
To gain access to something protected by one of these keys, an attacker would need to access the key, dismantle it, and clone the key using sophisticated knowledge and equipment. Afterward, they would have to carefully put the original key back together and return it to the owner.
NinjaLab estimated that the cost of the setup required for this attack would be approximately $10,000, with the use of a more advanced oscilloscope potentially increasing the total cost by an additional $30,000.
It is worth mentioning that this vulnerability might not be limited to YubiKey 5, as it could potentially affect other systems using the same microcontroller. However, NinjaLab hasn't tested other systems yet.
"These security microcontrollers are present in a vast variety of secure systems, often relying on ECDSA, like electronic passports and crypto-currency hardware wallets, but also smart cars or homes. However, we did not check (yet) that the EUCLEAK attack applies to any of these products," NinjaLab stated.
NinjaLab emphasized repeatedly in their research that exploiting this vulnerability requires extraordinary resources. "Thus, as far as the work presented here goes, it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one," the researchers concluded.
- The vulnerability discovered in YubiKey 5, an authentication device, can potentially be exploited by skilled hackers through a side channel in the microcontroller of the devices.
- Despite this vulnerability, YubiKeys remain valuable for multi-factor authentication systems due to their role in safeguarding sensitive accounts, as gaining physical possession is usually required for unauthorized entry.
- Yubico, the manufacturer of YubiKeys, has acknowledged the vulnerability and released a statement along with a report from security researchers at NinjaLab, stating that the attack requires physical possession of the YubiKey, specific knowledge of the targeted accounts, and specialized equipment.
- Future research by NinjaLab may uncover whether this vulnerability also affects other systems utilizing the same microcontroller, such as electronic passports, crypto-currency hardware wallets, smart cars, or homes, but currently, they have only focused on YubiKey 5.